Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 May 2016 06:24:44 +0000 (06:24 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 May 2016 06:24:44 +0000 (06:24 +0000)
commitb0642a0dc84b5f7f139052c261c19d688cde83a0
tree6cef8486d51739185f3a06cc219f9174d718152e
parentd26d15dfd630d6f79f442145948ee259e5bc4dcf
Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
https://bugs.webkit.org/show_bug.cgi?id=157080

Reviewed by Saam Barati.

Source/JavaScriptCore:

In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
In this patch, we add a new parameter, "slotBase". This represents the base value offering
this custom getter. And use it in ProxyObject's performGet custom accessor getter.

* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
(JSC::JSCallbackObject<Parent>::callbackGetter):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
In PolymorphicAccess case, the thisValue and the slotBase are always cells.
This is because IC is enabled in the case that the base value is a cell.
And slotBase is always on the prototype chain from this base value.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jsc.cpp:
(WTF::CustomGetter::customGetter):
(WTF::RuntimeArray::lengthGetter):
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter):
* runtime/JSBoundSlotBaseFunction.cpp:
(JSC::boundSlotBaseFunctionCall):
* runtime/JSFunction.cpp:
(JSC::JSFunction::argumentsGetter):
(JSC::JSFunction::callerGetter):
* runtime/JSFunction.h:
* runtime/JSModuleNamespaceObject.cpp:
(JSC::callbackGetter):
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::customGetter):
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
* runtime/RegExpConstructor.cpp:
(JSC::regExpConstructorDollar):
(JSC::regExpConstructorInput):
(JSC::regExpConstructorMultiline):
(JSC::regExpConstructorLastMatch):
(JSC::regExpConstructorLastParen):
(JSC::regExpConstructorLeftContext):
(JSC::regExpConstructorRightContext):
(JSC::regExpConstructorDollar1): Deleted.
(JSC::regExpConstructorDollar2): Deleted.
(JSC::regExpConstructorDollar3): Deleted.
(JSC::regExpConstructorDollar4): Deleted.
(JSC::regExpConstructorDollar5): Deleted.
(JSC::regExpConstructorDollar6): Deleted.
(JSC::regExpConstructorDollar7): Deleted.
(JSC::regExpConstructorDollar8): Deleted.
(JSC::regExpConstructorDollar9): Deleted.
* tests/stress/proxy-get-with-primitive-receiver.js: Added.
(shouldBe):

Source/WebCore:

* bindings/js/JSDOMBinding.h:
(WebCore::nonCachingStaticFunctionGetter):
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowWebKit):
* bindings/js/JSPluginElementFunctions.cpp:
(WebCore::pluginElementPropertyGetter):
* bindings/js/JSPluginElementFunctions.h:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
(GenerateImplementation):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::lengthGetter):
* bridge/runtime_array.h:
* bridge/runtime_method.cpp:
(JSC::RuntimeMethod::lengthGetter):
* bridge/runtime_method.h:
* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::fallbackObjectGetter):
(JSC::Bindings::RuntimeObject::fieldGetter):
(JSC::Bindings::RuntimeObject::methodGetter):
* bridge/runtime_object.h:

Source/WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::propertyGetter):
(WebKit::JSNPObject::methodGetter):
* WebProcess/Plugins/Netscape/JSNPObject.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201322 268f45cc-cd09-0410-ab3c-d52691b4dbfc
31 files changed:
Source/JavaScriptCore/API/JSCallbackObject.h
Source/JavaScriptCore/API/JSCallbackObjectFunctions.h
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
Source/JavaScriptCore/jit/CCallHelpers.h
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/CustomGetterSetter.cpp
Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp
Source/JavaScriptCore/runtime/JSFunction.cpp
Source/JavaScriptCore/runtime/JSFunction.h
Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
Source/JavaScriptCore/runtime/PropertySlot.cpp
Source/JavaScriptCore/runtime/PropertySlot.h
Source/JavaScriptCore/runtime/ProxyObject.cpp
Source/JavaScriptCore/runtime/RegExpConstructor.cpp
Source/JavaScriptCore/tests/stress/proxy-get-with-primitive-receiver.js [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMBinding.h
Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
Source/WebCore/bindings/js/JSPluginElementFunctions.cpp
Source/WebCore/bindings/js/JSPluginElementFunctions.h
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bridge/runtime_array.cpp
Source/WebCore/bridge/runtime_array.h
Source/WebCore/bridge/runtime_method.cpp
Source/WebCore/bridge/runtime_method.h
Source/WebCore/bridge/runtime_object.cpp
Source/WebCore/bridge/runtime_object.h
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.h